Skype disables password resets over big security flaw

Posted November 14, 2012 - 08:11
by
Emma Woollacott

Skype has rolled out a fix for a critical security bug.

Update (11AM PST), official statement from Skype:

"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address.

"We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience."

***
Skype has disabled password resets, in response to a security vulnerability that allows accounts to be hijacked with only the user's email address.

Almost unbelievably, it's possible for a hacker to sign up to Skype for a new account using the same email address as the target. The hacker can then reset the password, not just for that account, but for all accounts with that email address.

While the genuine user would see what was happening if they were signed in to Skype at the time, they'd need to act quickly to stop the hijack.
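To make the failure mode concrete, here is a small model of the account-reset logic the article describes, added here as an illustration and not Skype's code. It contrasts a reset handler that rotates every account sharing an email address with one that only issues a single-use token for a verified address and binds that token to one account; the `AccountStore` class and its method names are constructed for this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    user_id: str
    email: str
    email_verified: bool
    password: str

class AccountStore:
    """Constructed stand-in for an account database; not Skype's code."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.reset_tokens: dict[str, str] = {}  # token -> user_id

    def register(self, user_id, email, password, verified=False):
        # The flaw starts here: nothing stops a second account from
        # claiming an address it has never proven it can read.
        self.accounts[user_id] = Account(user_id, email, verified, password)

    def reset_by_email_flawed(self, email, new_password):
        # Flawed: one request rotates the password of every account that
        # lists this address, including accounts the requester does not own.
        touched = []
        for acct in self.accounts.values():
            if acct.email == email:
                acct.password = new_password
                touched.append(acct.user_id)
        return touched

    def request_reset(self, user_id):
        # Hardened: a token is issued only for an account whose address is
        # verified, and it names exactly one account.
        acct = self.accounts[user_id]
        if not acct.email_verified:
            raise PermissionError("email address not verified")
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = user_id
        return token

    def reset_with_token(self, token, new_password):
        # Single-use token; affects only the account it was minted for.
        user_id = self.reset_tokens.pop(token, None)
        if user_id is None:
            raise PermissionError("unknown or already used token")
        self.accounts[user_id].password = new_password
        return [user_id]
```

The check worth carrying into a real system is the `email_verified` gate: without it, a second registration against an address is enough to reach the reset path at all.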

The vulnerability was first uncovered by a team of Russian hackers - several months ago - and posted on the Xeksec site. It has since been verified by The Next Web.

Microsoft-owned Skype's promised to look into the flaw, and has in the meantime taken action to stop anyone exploiting it.

"We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further," says the company. "We apologize for the inconvenience, but user experience and safety is our first priority."

The Russian hackers who discovered the exploit say they warned Skype some time ago, but the company took no action. It's not the first time that Skype's been accused of dragging its heels over a security fix, most notably when it took 18 months to repair a hole that revealed users' IP addresses and other data earlier this year.